Mobile Devices Acceptable Use Policy

Abstract: This policy defines the acceptable use of mobile devices at ITPROSEC.

1       Personal Mobile Devices Acceptable Use Policy

1.1       Introduction

This policy defines how ITPROSEC data can be accessed with the use of mobile devices and acceptable use of these devices while conducting ITPROSEC business.  The policy is designed to minimize the risk of compromising privacy or confidentiality of ITPROSEC business information while allowing employees and contingent workers to use the device.

1.2       Purpose

The purpose of this policy is to define the operational rules and restrictions for ITPROSEC employees who have legitimate business reasons for accessing ITPROSEC business data through the use of mobile devices.  This policy applies to any ITPROSEC managed device.

1.3       Scope

The Mobile Devices Acceptable Use Policy applies to those who access information systems, business applications, networks and information owned by ITPROSEC using mobile devices:

  • Salaried, part-time and contract hourly employees
  • Contingent Workers

The policy applies but is not limited to all devices that fit the following classification:

  • Smartphones (e.g. iPhone)
  • Tablet devices

ITPROSEC reserves the right to determine which mobile devices may be used for business purposes.  The list of acceptable devices is provided in Appendix A and can be changed at any time based on strategy and business needs.

The Mobile Devices Acceptable Use Policy also applies to all information systems, data, business applications and networks, used or administered by ITPROSEC and to all computational environments operated by, or operated on behalf of ITPROSEC by a Third Party.

The document will use “Third Parties” as a collective term to denote:

  • Third parties not under contractual terms to ITPROSEC but providing a service to ITPROSEC as mutually agreed,
  • Approved Third Parties that are to provide ITPROSEC with a commercial service under a yet to be executed agreement,
  • Contractors providing services to ITPROSEC as equivalent employees,
  • Trading Partners (may or may not be within a mutually executed contract),
  • Suppliers of products, services (including network services) and information,
  • Suppliers of remote systems support and maintenance,
  • Any other entity needing to connect with ITPROSEC computational environment to provide a service as mutually agreed.

Addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of Information Services.

This policy is complementary to any previously implemented policies dealing specifically with acceptable use of computer or mobile devices with access to ITPROSEC data.  Non-sanctioned use of mobile devices to back up, store, and otherwise access any enterprise-related data is strictly forbidden.

Deviation from this policy is acceptable if an information security threat and risk assessment has been completed with a documented business impact analysis and the Information Owner(s) have signed a risk acceptance form.  The Risk Acceptance Form shall be reviewed and endorsed by the Chief Information Security Officer (CISO).

1.4       Policy Statements

  1. It is the responsibility of any individual who uses a mobile device to access ITPROSEC corporate resources to ensure that all security protocols normally used in the management of data on conventional network infrastructure (e.g. company-provided desktop/laptop) are also applied here.  It is imperative that any mobile device that is used to conduct ITPROSEC business be utilized appropriately, responsibly, and ethically.
  2. Prior to initial business use of mobile devices, all mobile devices must be approved and procured by ITPROSEC IS.  ITPROSEC’s Information Services will maintain a list of approved mobile devices contained in this document and it will be published on ITPROSEC Intranet under ……TBD
  3. All mobile devices must be protected by a password.  Whenever possible the device should be configured in accordance with ITPROSEC’s password standards.  ITPROSEC employees and contingent workers agree to never disclose their passwords to anyone, even to family members, if business work is conducted from home.
  4. All users of mobile devices must employ reasonable physical security measures.  ITPROSEC employees and contingent workers are expected to secure all such devices whether or not they are actually in use. The device should be kept locked when not in use and unattended. Special care should be taken when traveling by locking the device in the safe of the hotel room when not in use and unattended.
  5. Any information marked or deemed to be classified, as per ITPROSEC data classification defined by the Corporate Information Security Policy, is not to be stored unencrypted on personal mobile devices.
  6. ITPROSEC’s IS will strive to manage security policies, business applications, and data access centrally using the technology solutions it deems suitable and available on the market.  Any attempt to contravene or bypass that security implementation will be deemed a breach of trust and will be dealt with in accordance with ITPROSEC’s overarching security policy.
  7. In the event of a lost or stolen mobile device, it is incumbent on the user to report the incident to ITPROSEC Help Desk immediately at [email protected] or (416) xxx-1234.  The device will be remotely wiped of ALL DATA and locked to prevent access to ITPROSEC corporate resources and confidential data.  The remote wipe will destroy all data on the device, both business and personal.  If the device is recovered, it can be submitted to IS for re-provisioning.  Before connecting the device to corporate resources, ITPROSEC employees and contingent workers must sign the ITPROSEC Remote Wipe Waiver form. This form ensures users have agreed to the potential destruction and loss of personal data stored on their device in the event a remote wipe becomes necessary. The form can be found in Appendix B of this document.
  8. Managers must notify IS immediately when an employee or contingent worker leaves the company. The personal mobile device must be remotely wiped to ensure ITPROSEC confidential information is destroyed from the device at the end of employment contract or the completion of business at ITPROSEC. The remote wipe will erase both business and personal information.
  9. Usage of a mobile device to capture images, video, or audio, whether native to the device or through third-party applications, is prohibited within restricted areas of the workplace.
  10. ITPROSEC reserves the right, through policy enforcement and any other internal controls it deems necessary, to limit the ability of the end user to transfer data to and from specific resources on the enterprise network.
  11. ITPROSEC reserves the right, through policy enforcement and any other internal controls it deems necessary, to control what type of applications are allowed to be installed on the mobile devices and the ability of the end user to install these applications.
  12. ITPROSEC reserves the right to monitor the activity on the personal device.  The resulting logs can be used for investigation of a possible policy breach or misuse.  The end user agrees to and accepts that all the activity initiated from the personal mobile device in connection with business or personal use, may be monitored and/or recorded to identify unusual or suspicious activity.
  13. ITPROSEC employees and contingent workers will make or allow no modifications to the hardware or software that change the nature of the device in a significant way (e.g. “jail-breaking” the device) without the express approval from ITPROSEC’s IS.
  14. ITPROSEC employees agree to immediately report to their manager and ITPROSEC Help Desk (at [email protected] or (416) xxx-1234) any incident or suspected incident of unauthorized data access, data loss, and/or disclosure of company resources.
  15. ITPROSEC employees and contingent workers will not be granted access to corporate resources using a mobile device without accepting the terms and conditions of this policy and signing the ITPROSEC Remote Wipe Waiver found in Appendix B of this document.

1.5       Roles and Responsibilities

Please refer to the ITPROSEC Corporate Information Security policies for details.  Additionally, the following roles and responsibilities are augmented as per below:

1.5.1     Branch Management

  • Assessing risk arising from access to corporate resources from mobile devices.
  • Authorising ITPROSEC employees and contingent workers conducting business with ITPROSEC to access information resources, using mobile devices when this is considered appropriate.
  • Requesting IS to revoke access to ITPROSEC resources using mobile devices when the business/contractual/employment relationship ends. This request can be delegated to direct reports.
  • Ensuring direct reports or any other end users accessing their resources are complying with this policy and taking the necessary corrective action where deviation from this policy is discovered.
  • Collecting the mobile device from departing employees or contractors and returning it to IS.

1.5.2     Information Services

  • Reviewing any signed agreement(s) to determine compliance with ITPROSEC information security policies and standards.
  • Authorising ITPROSEC employees and contingent workers conducting business with ITPROSEC to access information resources, using mobile devices when this is considered appropriate.
  • Revoking authorization to access ITPROSEC resources using mobile devices when the business/contractual/employment relationship ends.
  • Maintaining the list of supported personal mobile devices.
  • Maintaining an inventory list of personal mobile devices that have access to ITPROSEC data.
  • Monitoring user activity on mobile devices and reporting to Branch management any policy violations.

1.5.3     End Users

Information Users are responsible for:

  • Observing the policy and following the access authorization process.
  • Ensuring due diligence when using mobile devices.
  • Giving consent and agreement to this policy by signing the ITPROSEC Remote Wipe Waiver.

1.6       Compliance

  • Please refer to the ITPROSEC Information Security Office for details

1.7       Authority

  • Please refer to the Information Security Office for details

2       Appendix A

List of Supported Mobile Devices

No   Make    Type                                 Model          Services
1    Apple   Smart phone device, Tablet device    iPhone, iPad   Email, Calendar, Contacts

3       Appendix B

Remote Wipe Waiver

I, [employee name], the custodian of mobile device Serial No. [serial number], have read and understand the above Mobile Device Acceptable Use Policy, and consent to have the device wiped in the event of the device being lost or stolen, or at the end of employment contract or completion of business at ITPROSEC, and I agree to adhere to the rules outlined therein. I understand that ITPROSEC will wipe both business and personal information on my device.

         
Employee/Contingent Worker Name   Employee/Contingent Worker Signature   Date
         
Business Unit Vice President Name   VP Signature   Date
